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Abstract. Key substitution vulnerable signature schemes are signature 
schemes that permit an intruder, given a public verification key and a 
signed message, to compute a pair of signature and verification keys 
such that the message appears to be signed with the new signature key. 
Schemes vulnerable to this attack thus permit an active intruder to claim 
to be the issuer of a signed message. 

A digital signature scheme is said to be vulnerable to destructive ex- 
clusive ownership property (DEO) If it is computationaly feasible for an 
intruder, given a public verification key and a pair of message and its 
valid signature relatively to the given public key (m,s), to compute a 
pair of signature and verification keys and a new message m' such that 
s is a valid signature of m' relatively to the new verification key. 
In this paper, we investigate and solve positively the problem of the de- 
cidability of symbolic cryptographic protocol analysis when the signature 
schemes employed in the concrete realisation have this two properties. 



1 Introduction 

According to West's Encyclopedia of American Law, a signature is 

"A mark or sign made by an individual on an instrument or document 
to signify knowledge, approval, acceptance, or obligation. . . [Its purpose] 
is to authenticate a writing, or provide notice of its source^. . . " 

We will not deal any further with legal considerations, but it is interesting to note 
that while digital signatures are primarily employed to authenticate a document, 
i.e. ensure that the signer endorses the content of the document, they can also 
be employed to prove the origin of a document, i.e. ensure that only one person 
could have signed it. Indeed, most of the cryptographic work on digital signatures 
has aimed at certifying that no-one could sign a document in the place of someone 
else. 

The analysis of digital signature primitives has however focused on the for- 
mer authentication property. Formally speaking, the yardstick security notion 
for assessing the robustness of a digital signature scheme is the existential en- 
forceability against adaptative chosen-message attacks (UNF-CCA) [10]. This 
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notion states that, given a signing key/verification key pair, it is infeasible for 
someone ignorant of the signing key to forge a message that can pass the verifica- 
tion with the pubhc verification key, and this even when messages devised by the 
attacker are signed beforehand. The security goal provided by this property is 
the impossibihty (within given computing bounds) to impersonate a legitimate 
user (i.e. one that does not reveal its signature key) when signing a message. 

We note that this robustness does not address the issue of the identification of 
a source of a message. However, this latter concept is also pertaining to digital 
signatures when they are employed in a non-repudiation protocol. While one 
would not differentiate the two properties at first glance, they are different since 
the authentication property requires the existence of the participation of the 
signer in the creation of the message, while the latter mandates the unicity of a 
possible creator of a message. 

The two notions of message authentication and source authentication collapse 
in the single-user setting when there exists only one pair of signature/verification 
keys. They may however be different in a multi-user setting. We believe that the 
first work in this direction was the discovery of a flaw on the Station-to-Station 
protocol by Blake- Wilson and Menezes [12], where the authors show how it is 
possible to confuse a participant into thinking it shares a key with another per- 
son than the actual one. The attack consisted in the creation, by the attacker, 
of a signature/ verification key pair dependent upon messages sent in the proto- 
col. Defining a signature scheme to have the Duplicate Signature Key Selection 
(DSKS) property if it permits such a construction with non-negligible prob- 
ability, they showed that several standard signature schemes (including RSA, 
DSA, ECDSA and ElGamal) had this property, but also that a simple counter- 
measure (signing the public key along with the message) existed in all cases, 
but was rarely implemented. This DSKS property was formally defined as Key 
substitution in [2], where it is also discussed, after a review of what could be 
called an attack on a signature scheme in the multi-user setting. It was also later 
presented independently in [8] as Conservative Exclusive Ownership. The com- 
panion property of Destructive Exclusive Ownership by which an intruder may 
also change arbitrarily the signed message is also introduced and they showed 
that the usual signature algorithms (such as RSA and DSS) have this property. 
While the same attacks as in [2] arc exhibited, the authors also demonstrate 
how this can be used in practice to poison a badly implemented PKI with fake 
CRLs (T. Pornin, personal commimication) . 

Automated validation of security protocols. Cryptographic protocols have been 
applied to securing communications over an insecure network for many years. 
While these protocols rely on the robustness of the employed security primitives, 
their design is error-prone. This difficulty is reflected by the repeated discovery 
of logical flaws in proposed protocols, even under the assumption that crypto- 
graphic primitives were perfect. As an attempt to solve the problem, there has 
been a sustained effort to devise formal methods for specifying and verifying the 
security goals of protocols. Various symbolic approaches have been proposed to 
represent protocols and reason about them, and to attempt to verify security 



properties such as confidentiality and authenticity, or to discover bugs. Such 
approaches include process algebra, model-checking, equational reasoning, con- 
straint solving and resolution theorem-proving (e.g., [14,9, 16, 1]). 

Our goal is to adapt the symbolic model of concrete cryptographic primitives 
in order to reflect inasmuch as possible their imperfections that could be used by 
an attacker to find a fiaw on a protocol. The work described in this paper relies 
on the compositionality result obtained in [17] that permits us to abstract from 
other primitives and consider protocols that only involve a signature scheme 
having DSKS property (resp. vulnerable to DEO property). 

Outline. In Section 2 we will present an attack by Back et al. demonstrating 
how an actual intruder can use the DSKS property of a signature scheme to 
attack a protocol. We then describe in Section 3 the formalism in which we 
will analyse cryptographic protocols. In Section 4 we present how we model 
the possible actions of an intruder taking advantage of the DSKS property of 
a signature scheme and in section 5, we present how we model the possible 
actions of an intruder taking advantage of the vulnerability of signature scheme 
to DEO property. We present in Section 7 an algorithm that permits to reduce 
the analysis to an analysis in the empty equational theory, and give in Section 8 
a decision procedure for the reachability problem in these protocols. We conclude 
in Section 9. 

2 An example of attack 

We do not present here the original attack on the station-to-station protocol, but 
one that we believe to be simpler, and given by Baek et al. [3] on the KAP-HY 
{Key Agreement protocol, proposed by Hirosi and Yoshida in [11]). 

Presentation of the KAP-HY protocol. This protocol relics on a redundant sig- 
nature scheme to provide key confirmation at the end of a key exchange. The 
signature of a message m by agent A is denoted sa("t-)- Abstracting the details 
of the Diffie-Hellman key construction with messages ua and Ub, and of the 
signature scheme, the protocol reads as follows: 

A^ B -.UA^A 

B ^ A: Ub, ss(ua), B 

A^ B : sa{sb{ua),ub) 
An unknown key share (UKS) attack on a key agreement protocol is an attack 
whereby two entities A and B participating in a key agreement protocol may 
end the protocol successfully, but with a wrong belief on who shares a key with 
who. In [3], Baek et al. showed that the redundant signature scheme employed 
in the KAP-HY protocol possesses the DSKS property, and elaborate on this 
to show that the KAP-HY is vulnerable to a UKS attack. In this attack, the 

intruder E waits that A initiates a session with him: 
(1) A^E:uA,A (2) E ^ A: ub,sb{ua),E 

(1') E^B:uA,A (3) ^1 ^ S : s^(sb(u^), ws) 

{2') B ^ E{A) ■.UB,SBiuA),B {i') E B : sa{sb{ua),ub) 



In this attack, the intruder E records, but passes unchanged, the first mes- 
sage, and initiates a session as A with B. It then intercepts the second message, 
and builds from the public key of B and from the message sb{ua) a signa- 
ture/verification key pair, and registers this key pair. E then passes the signa- 
ture, but this time accompanied by its identity (2'). The main point is that when 
A checks the signature of the incoming message, it accepts it on the ground that 
it seems to originate from E. At the end of this execution. A believes that the 
key is shared with E whereas it is actually shared with B. 

The computation of the new pair of keys {Pe,Se) proceeds as follows. At 
the end of flow (2), the intruder knows the signature of ua made by Bob using 
his public key, then, by using DSKS property of the used signature scheme, he 
creates the new pair of keys {Pe, Se)- The crucial point, common to all DSKS 
attacks, is the construction of a new key pair from a public verification key and 
from a signed message. We will model this operation with appropriate deduction 
rules, and prove that protocol analysis remains decidable. 

3 Formal setting 
3.1 Basic notions 

We consider an infinite set of free constants C and an infinite set of variables 
X. For any signature Q {i.e. sets of function symbols not in C with arities) we 
denote T{g) (rcsp. T{g,X)) the set of terms over G UC (resp. G U C U X). 
The former is called the set of ground terms over Q, while the latter is simply 
called the set of terms over Q. The arity of a function symbol g is denoted 
by ar(5). Variables are denoted by x, y, terms are denoted by s, t, u, v, and 
finite sets of terms are written E,F,..., and decorations thereof, respectively. We 
abbreviate EU F hy E,F, the union E U {t} by E, t and E\ {t} hy E\t. The 
subterms of a term t are denoted Sub(t) and are defined recursively as follows. 
If t is an atom {i.e. t € X U C) then Suh{t) = {t}. If t = g{ti, . . . ,tn) then 
Sub(i) = {t} U Sub(ti). The positions in a term t are sequences of integers 
defined recursively as follows, e being the empty sequence representing the root 
position in t. We write p < qio denote that the position p is a prefix of position 
q. If ti is a subterm of t at position p and if u = . . . , Un) then Ui is at 

position p • i in t for i e {1, . . . , n}. We write t\p the subterm of t at position p. 
We denote t[s] a term t that admits s as subterm. The size of a term t is the 
number of distinct subterms of t. The notation is extended as expected to a set 
of terms. 

A substitution a is an involutive mapping from X to T(C/, X) such that 
Supp(cr) = {a;|cr(a;) ^ x}, the support of a, is a finite set. The application of 
a substitution cr to a term t (resp. a set of terms E) is denoted ta (resp. Ea) 
and is equal to the term t (resp. E) where all variables x have been replaced by 
the term a{x). A substitution cr is ground w.r.t. Q if the image of Supp((T) is 
included in T(^). 

An equational presentation Ti. = {Q.,A) is defined by a set A of equations 
u = V with u,v € T{g,X) and u,v without free constants. For any equational 



presentation Ti the relation denotes the equational theory generated by 
{QtA) on T(^?,A'), that is the smaUest congruence containing aU instances of 
axioms of A. Abusively we shall not distinguish between an equational presenta- 
tion l-L over a signature Q and a set A of equations presenting it and we denote 
both by 7i. If the equations of A can be oriented from left to right, we write the 
equations in A with an arrow, I — > r. The equations can then only be employed 
from left to right, and A is called a rewrite system. An equational theory can 
in this case be defined by a rewrite system. An equational theory Ti. is said to 
be consistent if two free constants are not equal modulo 7i or, cquivalcntly, if it 
has a model with more than one element modulo TL. 

Let ^ be a set of rewrite rules I r. The rewriting relation between 
terms is defined by t t' if there exists I r G A and a substitution a such 
that la = s and ra = s' , t ~ t[s] and t' ^ t[s ^ s']. A is convergent if and only 
if it is terminating and confluent. In this case, all rewriting sequences starting 
from t are finite and have the same limit, and this limit is called the normal form 
of t. We denote this normal form {t)i^, or when the considered rewriting 
system is clear from the context. A substitution a is in normal form if for all 
X G Supp((7), the term <7{x) is in normal form. 

3.2 Unification systems 

In the rest of this section, we let Ti be an equational theory on T{Q, X) and A 
be a convergent rewriting system generating H. 

Definition 1. (Unification systems) LetTi he an equational theory on"T{Q,X). 
A 7i -unification system S is a finite set of pairs of terms in T{Q, X) denoted by 

{ui = HVi}i£{i,....n}- It is satisfied by a substitution a, and we note a \= -hS, if 
for all i £ {1, . . . , n} we have Uia =-h Via. In this case we call a a solution or a 
unifier ofS. 

When Ti. is generated by A, the confluence implies that if cr is a solution 
of a TY-unification system, then (cr)| is also a solution of the same unification 
system. Accordingly we will consider in this paper only solutions in normal form 
of unification systems. A complete set of unifiers of a 7i- unification system <S is a 
set S of substitutions such that, for any solution r of S, there exists a £ S and 
a substitution r' such that r =-h ar' . The unifier r is a most general unifier of 
S if the substitution t' in the preceding equation must be a variable renaming. 

In the context of unification modulo an equational theory, standard (or syn- 
tactic) unification will also be called unification in the empty theory. In this 
case, it is well-known that there exists a unique most general unifier of a set of 
equations. This imifier is denoted mgu{S), or mgu{s, t) in the case 5 = |s =0 

Unifiability Problem 

Input: A 7i-unification system S. 

Output: Sat iff there exists a substitution a such that a \=-}-i S. 



Let us now introduce the notion of narrowing, that informally permits to 
instantiate and rewrite a term in a single step. 

Definition 2. (Narrowing) Let s and t he two terms. We say t s iff there 
exists I r E A, a position p such that t\p ^ X and s = ta[p ^ rcr], where 
a = mgu{t\p,l). We denote by -w the narrowing relation. 

Assume t t' with a rule I — > r applied at a position p in t. A basic position in 
t' is either a non-variable position of t not under p or a position p ■ q where q is 
a non-variable position in r. Basic narrowing is a restricted form of narrowing 
where only terms at basic positions are considered to be narrowed. In the rest 
of this paper, we denote t ~^b.n. t' a basic narrowing step. 

3.3 Intruder deduction systems 

The notions that we give here have been defined in [17]. These definitions have 
since been generalised to consider a wider class of intruder deduction systems 
and constraint systems [15]. Although this general class encompasses all intruder 
deduction systems and constraint systems given in this paper, we have preferred 
to give the simpler definitions from [17] which are sufficient for stating our prob- 
lem. We will refer, without further justifications, to the model of [15] as extended 
intruder systems and extended constraint systems. The latter correspond to sym- 
bolic derivations in which a most general unifier of the unification system has 
been applied on the input/output messages. 

In the context of a security protocol (see e.g. [5] for a brief overview), we 
model messages as ground terms and intruder deduction rules as rewrite rules 
on sets of messages representing the knowledge of an intruder. The intruder 
derives new messages from a given (finite) set of messages by applying deduction 
rules. Since we assume some equational axioms Ti. are satisfied by the function 
symbols in the signature, all these derivations have to be considered modulo the 
equational congruence generated by these axioms. In the setting of [17] an 
intruder deduction rule is specified by a term t in some signature Q. Given values 
for the variables of t the intruder is able to generate the corresponding instance 
oft. 

Definition 3. An intruder system J is given by a triple {Q,S,T-i) where Q is a 
signature, S C T{Q,X) and Ti. is a set of equations between terms in T{Q,X). 
To each t E S we associate a deduction rule L* : Var(t) t . The set of rules 
Lx is defined as the union o/L* for all t G S . 

Each rule Z -» r in Lx defines an intruder deduction relation -^i^r between 
finite sets of terms. Given two finite sets of terms E and F we define E F 
if and only if there exits a substitution cr, such that la =-h I' , ra ~t-c r' , I' C E 
and F ^ E IJ {r'}. We denote -»x the union of the relations ^i^r for all / ^ r 
in Lx and by the transitive closure of ^j. Note that by definition, given 
sets of terms E, F and F' such that E —u E' and F —h F' by definition 



we have E -^x F iff E' -^j F' . We simply denote by the relation when 

there is no ambiguity about I. 

A derivation D of length n, n > 0, is a sequence of steps of the form i?o -^x 

Eq, ti -»i • • • -^x En with finite sets of terms Eq, . . . En, and terms ti, . . . , 

such that Ei = Ei-i U {tj} for every i G {1, . . . , n}. The term i„ is called the 

X 

goal of the derivation. We define E to be equal to the set of terms that can be 
derived from E. If there is no ambiguity on the intruder deduction system X we 
write E instead of E . 

3.4 Simultaneous constraint satisfaction problems 

We now introduce the constraint systems to be solved for checking protocols. It is 
presented in [17] how these constraint systems permit to express the reachability 
of a state in a protocol execution. 

Definition 4. (T-Constraint systems) LetX ~ {Q^S^H) he an intruder system. 

X-constraint system C is denoted {{Ei t> ..,«}, 5) and is defined by a 

sequence of pairs {Ei, fi)i6{i....,Ti} with Vi € X , Ei C T{Q, X) for i e {1, . . . , n}, 
and Ei-i C Ei for i e {2,...,n}, and \ai{Ei) C {vi, . . . ,Vi-i\ and by an 
Ti-unification system S. 

An X-Constraint system C is satisfied by a substitution a if for all i G 
{1, . . . , n} we have Via G Eia and if o S . We denote that a substitution a 
satisfies a constraint system C by a C. 

Constraint systems are denoted by C and decorations thereof. Note that if a 
substitution ct is a solution of a constraint system C, by definition of deduction 
rules and unification systems the substitution (ct)J, is also a solution of C. In 
the context of cryptographic protocols the inclusion Ei-i C Ei means that the 
knowledge of an intruder does not decrease as the protocol progresses: after 
receiving a message a honest agent will respond to it, this response can then 
be added to the knowledge of the intruder who listens to all communications. 
The condition on variables stems from the fact that a message sent at some 
step i must be built from previously received messages recorded in the variables 
Vj,j < i, and from the ground initial knowledge of the honest agents. 

Our goal will be to solve the following decision problem for the intruder 
deduction system modelling a signature scheme having the DSKS property. 

X-Reachability Problem 

Input: An X-constraint system C. 

Output: Sat iff there exists a substitution a such that a |=i C. 



4 Symbolic model for key substitution attacks 

A digital signature scheme is defined by three algorithms: the signing algorithm, 
the verification algorithm and the key generation algorithm. The last algorithm 



generates for each user a pair of keys, one of them will be used as signing key and 
will be kept secret, while the other is public and will be used as a verifying key. 
We abstract the key generation algorithm with two functions, PK(_) and SK(_) 
denoting respectively the verification and signature keys of an agent. We assume 
it is not possible, given an agent's name A, to compute PK{A) or SK(A). The 
signature of a message m with signature key k is a public algorithm Sig(_, _), 
and the resulting signed message is denoted Sig(m, fc). We consider signatures 
with appendix, where the verification algorithm Vcr(_, _, _) -which is available to 
everyone- takes in its input a message to, a signature s and the public verification 
key k. The application of the algorithm is denoted Ver(TO, s, k), and its outcome 
can be (s is not the signature of to with the signature key associated with the 
verification key k) or 1 (s is a valid signature). 

In addition to these functions, we add two new functions, P'K(_, _) and 
S'K(_, _), which arc public and take as argument a signed message s and a ver- 
ification key k corresponding to this signed message, and output respectively a 
verification and a signature key denoted P'K(s, k) and S'K(s, k). The verification 
of s with the verification key P'K(s, fc) succeeds. 

Given this informal description, the equational theory H.-dsks to which these 
operations abide by is presented by the following set A-dsks of equations: 

r Vcr(.T,Sig(x,SK(y)),PK(2/)) = 1 

AvsKS = { Vcr(x,Sig(x,S'K(2/i,y2)),P'K(yi,y2)) = 1 

[ Sig(x,S'K(PK(y),Sig(x,SK(y)))) = Sig(x,SK(y)) 

The public operations defined above are now translated into an intruder 
system XosKs = {QvsKSi I^'DSKSi'Hvsks) with: 

f QvsKS = {Sig, Ver, S'K(_, .), P'K(., _), 0, 1, SK, PK} 

1 CvsKS = {Sig(a:;, y), Ver(x, y, z), S'K(x, y), P'K(a;, y), 0, 1} 

Note that the presentation AxisKS is not convergent, and thus we cannot 
apply results on basic narrowing as is. To this end we introduce a rewriting sys- 
tem TZ-DSKS which is convergent and obtained by Knuth-Bcndix [6] completion 
on A-DSKS, and such that two terms have the same normal form for TZ-dsks iff 
they are equal modulo TivsKS- 

Lemma 1. H-dsks generated by the convergent rewriting system: 

'Ver(x,Sig(a;,SK(y)),PK(y))^l 

^ I Ver(x,Sig(a;,S'K(yi,y2)),P'K(yi,y2)) ^ 1 
i^vsK.s \ g.g(^^ sj^(y))^ P'K(PK(y), Sig(x, SK(y)))) ^ 1 

^ Sig(x, S'K(PK(y), Sig(x, SK(y)))) ^ Sig(.T, SK(y)) 

Proof. The application of the Knuth-Bendix completion procedure [6] to 
TIVSKS gives us the convergent rewriting system TZvsKS- This rewriting sys- 
tem generates TLdsks, this conclude the proof. 

□ 



5 Symbolic model for DEO attacks 

A digital signature scheme is vulnerable against destructive exclusive owner- 
ship (DEO) if it is computationaly feasible for the intruder, given Kp^i, and a 
pair (m, s) such that Yer{Kpub,'m, s) = 1, to produce values i^^^f,, K'^^^^,, m' 
and s' such that K'^^^^ ^ K^ub, K'^^.^^ matches K'^^^^, s' = s, m' ^ m and 
Ver(if;„„m',s) = l. 

A digital signature scheme is defined by three algorithms: the signing al- 
gorithm, the verification algorithm and the key generation algorithm. These 
algorithms have the same properties as above (section 4). We abstract the sig- 
nature scheme with the following functions symbols: PK(_), SK(_), Sig(_, _) and 
Ver(_, _, _). In order to model DEO attacks, we introduce three functions sym- 
bols, P"K(_, _), S"K(_, _) and f(-, _) which are public and take as argument a 
signed message s and a public verification key kp^t corresponding to this signed 
message, and output respectively a new verification key, a new signature key and 
a new message denoted P"K(s,A;), S"K(s,fcp„b) and f(s,fcp„b). The verification 
of s with the new public key P"K(s, kpub) and the message f(s, kpub) succeeds. 

Given this informal description, the equational theory Ti-Deo to which these 
operations abide by is presented by the following set At>£o of equations: 



rVer(a;,Sig(x,SK(y)),PK(y)) = l 

Av£0 = { Ver(x,Sig(x,S"K(yi,2/2)),P"K(yi,y2)) = 1 

[ Sig(f(PK(y), Sig(x, SK(y))), S"K(PK(2/), Sig(x, SK(2/)))) = Sig(x, SK(y)) 

The public operations defined above are now translated into an intruder 
system JoEo = {Qv£0, t^V£0-,'Hv£o) with: 

Qv£0 = {Sig, Ver, S"K(_, .), P"K(., _), f, 0, 1, SK, PK} 
Cv£0 = {Sig(.T, v), Ver(a;, y, z), S"K(x, y), P"K(a;, y), f(x, y), 0, 1} 

Note that the presentation At>£0 is not convergent, and thus we cannot apply 
results on basic narrowing as is. To this end we introduce a rewriting system 
'R-DEO which is convergent and obtained by Knuth-Bendix [6] completion on 
At>£Oj and such that two terms have the same normal form for TZdeo iff they 
are equal modulo Ti.v£0- 

Lemma 2. Ti.T>£o is generated by the convergent rewriting system: 



n 



DEO 



( Ver(x,Sig(x,SK(y)),PK(y)) -> 1 

I Ver(x,Sig(x,S"K(yi,y2)),P"K(yi,y2)) ^ 1 

] Vcr(f(PK(y), Sig(x, SK(y))), Sig(x, SK(y)), P"K(PK(y), Sig(x, SK(y)))) ^ 
I Sig(f(PK(y), Sig(x, SK(y))), S"K(PK(y), Sig(x, SK(y)))) ^ Sig(x, SK(y)) 



6 Decidability of unifiability 

It can easily be shown, using the criterion of termination of basic narrowing 
on the right-hand side of rules of TZdsks (resp. TZdeo), that basic narrowing 



terminates when applied with the rules of TZdsks (resp. the rules of TZdeo)- The 
main result of [7] then implies the following proposition, when applying basic 
narrowing with TZdsks (resp. TZdeo) non-deterministically on the two sides 
of an equation modulo TZdsks (resp. TZdeo) and terminates with unification 
modulo the empty theory. 

Proposition 1. Basic narrowing is a sound, complete and terminating proce- 
dure for finding a complete set of most general T-L-psiCS -unifiers (resp. Tivso 
unifiers). 

One can actually be more precise, and we will need the following direct 
consequence of HuUot's unification procedure, that states that applying basic 
narrowing permits one to "guess" partially the normal form of a term t. 

Lemma 3. Let t he any term and a he a normalised substitution. There exists a 
term t' and a substitution a' in normal form such that t t' and t'a' = itcr)l 

where ^b.n. represent a basic narrowing relation modulo TivsKS (resp. modulo 
Ti-vso)- 

While this presentation by a convergent rewrite system ensures the decidabil- 
ity of unification modulo TivsKS (resp. modulo Ti-Dso), wc prove bellow that 
the unifiability problem, as well as the partial guess of a normal form, is in fact 
in NPTIME. 

Complexity of unification 

Theorem 1. Let t be a term and (D) be a basic narrowing derivation modulo 
TivsKS (resp. modulo Ti-oeo) starting from t . Then, the length of (D) in bounded 

bym. 

Proof. Let us prove the theorem for the basic narrowing derivations modulo 
TivsKS- Let i be a term and D be a basic narrowing derivation starting from 
t, D : t = to ~^b.n ti '^b.n ■•■ ~^6.n ^n- TZdsks IS Convergent and any basic 
narrowing derivation starting from the right members of the rules of TZdsks 
terminates, then, by [7], {D) terminates. Let us prove that ||D|| < Let 
Po = P(io) be the number of distinct subterms of to where we can apply the 
basic narrowing. We note that if the basic narrowing can be applied on a term 
s at a position p and if there exists another subterm of s at position q such that 
t\p = i|g, we apply the basic narrowing at the positions p and q at the same 
time. Let ti -^b.n ^i+i be a step in (D) and let U ^ ri € TZdsks be the applied 
rule. For any I —> r € TZdsks y f is not narrowable. By the fact that is not 
narrowable and by the definition of basic narrowing [7], we have Pi+i < Pi. We 
deduce that ||D|| < Pq, but Pq < poll then \\D\\ < \\t\\. 

The case of derivations modulo Ti-pso is analogoes. □ 



Corollary 1. The T-i-psjc^ -unifiability (resp. T-L^pgo -unifiability) can be decided 
in NPTLME. 



Proof. Let us prove the corollary for Tix'SKS-unifiability. Let P and Q be 
two terms. TZdsks is convergent and any basic narrowing derivation starting 
from the right members of the rules of TZdsks terminates then, there exists an 
TiijS/fS-unification algorithm (proposition 1). Let us prove that this algorithm 
runs in NPtime. Suppose M = H{P,Q), {H is a new function symbol repre- 
senting the cartesian product), and m = ||M|j = ||P|| + ||Q|| + 1- For any basic 
narrowing derivation D starting from M, we have ||Z?|| < m (Theorem 1). Sup- 
pose that our algorithm always explore the right branch, then, starting from any 
term M, the algorithm will be perform at most ||M|| steps before halting. Then, 
we have the corollary. 

By the same reasoning, we prove that Hpgo-unifiability can be decided in 
NPTIME. □ 

7 Saturation 
7.1 Construction 

Let TL be an cquational theory presented by a convergent rewrite system TZ. The 
saturation of the set of deduction rules C defined modulo the cquational theory 
Ti is the output of the application of the saturation rules of Figure 1 starting 
with C = C until any added rule is subsumed by a rule already present in C . 

Subsumption : /i C I2 

£'^C'\ {I2 ^ r} 
h ^ ri £ a , {tM) r2 e C t ^ X 

Closure : £' ^ £' U {(/i, -*» ra)^} = mgu^{ri,t) 

l^reC {l,r) -^h.n. {I' ,r') 

Narrow : 

C ^C'U {I' ^ r'} 

Fig. 1. System of saturation rules. 

The application of the saturation rules on CvsKS (resp. on CvEo) termi- 
nates, and yields the following sets of rules: 

C-DSKs' = CvsKS U X, SK(y) ^ Sig(x, SK(y)) U x, S'K(PK(2/), Sig(x, SK(y))) 
Sig(a;, SK(j/)) and 

Cvso = Cvso U f(PK(2/),Sig(x,SK(2/))),S"K(PK(y),Sig(x,SK(2;))) ^ 
Sig(x,SK(y)) 

We define four new extended intruder systems: 2^dsks = 

{Qveo,C.V£o' ,'Hdeo) and X02 = {Qv£0,C,V£o' ,^)- These intruder sys- 
tems do not satisfy the requirements that the left-hand side of deduction rules 
have to be variables. The deduction relation, the derivations and the set of 
reachable terms are defined as usual from ground instances of deduction rules. 



7.2 Properties of a saturated system 

In the rest of this paper, we suppose H, TZ, C, C\ X = {Q, £, Tl), T' = {Q, C , TL) 
and Iij, = {g,C',9) to be either respectively HvsKS, T^vsics, ^VSKS, '^'vsKS^ 
^DSKSi ^^DSKsOr respectively Hvso, Ti-vso, ^vsOi ^'veo^ ^oeo, 2'deo- 

Let us first prove that the deduction system obtained after saturation gives 
exactly the same deductive power to an intruder. 

Lemma 4. For any set of normal ground terms E and any normal ground term 
t we have: E —f>\ t if and only if E -^j, t. 

1 

Proof. First, let us assume that t ^ E , that is, there exists a X-derivation 
{D) starting from E of goal t, and let us prove that there exists a Z'-derivation 
starting from E of goal t. If there exists a step in the derivation D which uses a 
rule I ^ r £ C but not in then, by construction of C , there exists another 
rule — » r in C such that li C I and thus that can be applied instead of / r. 
We conclude that E t. 

For the reciprocal, let us assume that there exists a X'-derivation starting 
from E of goal i, and let us prove that there exists a Z-derivation starting from 
E of goal t. We begin by defining an arbitrary order on the rules of and we 
extend this order to the rules of £' \ £ as follows: the rules of L are smaller than 
the rules of £' \ £ and the rules oi C \C are ordered according to the order of 
their construction during the saturation. Let M(_D) be the multiset of deduction 

rules applied in D. Let n{E, t) = {D \ D : E ^* t}. Since t eE^ , Q{E, t) ^ 0. 
Let be a derivation in f2{E,t) having the minimal M{D), and let us prove 
that D does not use rules in £' \ C. By contradiction, suppose that D uses a rule 
I ^ r £ C \ C. Since I ^ r ^ it has been constructed according to the rules 
of saturation. Let us review the possible cases: 

— It I ^ r has been constructed by the third rule of saturation, there exists a 
rule li ^ ri E C such that (/i,7'i) „ (^^)- By definition of deductions, 
h ^ fi can be applied instead ot I r. Let {D') be the derivation where 
I' -» r' replaces I r, {D') is in f2{E,t). Since li ri has an order smaller 
than the order of / -» r, we have M(D') < M{D), which contradicts the 
minimality of M{D). 

— It I ^ r has been constructed by the second rule of saturation, there exists 
two rules h ri and s, I2 r2 in C such that ^ = mgu(ri, s), s ^ X, I = 
{{li, 12)1^)1 and r = {r2n)i - suppose that / ^ r is apphed on the set of terms 
F, F ^i-»r F,g. Since (/cr)i C F and {ra)l = g for a substitution tr, we 
have {lifia)l C F and ((s, /2)Mcr)J, C F\j{rifj,a)l, this imphes that F -^i^^n 
F, {ri^a)i -*i2.s^r2 -P": ('^iM"')!: 5- Let {D') be the derivation where li -» ri 
and s, I2 -» r2 replace / -» r. {D') is in t). Since li ri and s, I2 ^ ^2 
have an order smaller than the order of / ^ r, we have M{D') < M{D) which 
contradicts the minimality of M{D). 



We conclude that (D) does not use rules in C \ C, then, we have the reciprocal 
of the lemma. □ 



Moreover, we can prove that when considering only deductions on terms 
in normal form and yielding terms in normal form, it is sufficient to consider 
derivations modulo the empty theory (Corollary 2). 

Lemma 5. Let E (resp. t) be a set of terms (resp. a term) in normal form. We 
have: E E^ t if and only if E E, t. 

Proof. Assume first E -^j/ E,t. There exists a rule I ^ r E C and a sub- 
stitution a in normal form such that {la)l C E and t ~ (rCT)J,. By Lemma 3, 
there exists a set of terms Z', r', and a substitution a' in normal form such that 
I -^1^ ^ l\ r ^ r', and {1(t)1 = I'a', and {ra)i = r'a'. By the saturation, we 
have added at some point I' -» r' to C . Either this rule is present in the final C 
and can be applied, or it is subsumed by a rule that can be applied on E. The 
converse is left to the reader. □ 

Corollary 2. Let E (resp. t) be a set of terms (resp. a term) in normal form. 
We have: E -^j, E, t if and only if E —^x^, ^' 

Next lemma states that if a term in the left-hand side of a deduction rule of 
the saturated system is not a variable, then we can assume it is not the result 
of another saturated deduction rule. 

Lemma 6. Let E (resp. t) be a set of terms (resp. a term) in normal form. If 

t £ E , then there exists a Jij-derivation starting from E of goal t such that: 
for all Ig rules I —>* r applied with substitution a, for all s G I \ X , we have 
sa C E. 

Proof. Let us prove by induction on the length n of a derivation D starting 
from E of goal t that either D satisfies the property or their exists another 2^- 
derivation D' of length smaller to n starting from E of goal t which satisfies the 
property. 

The case n = 1 is obvious. 

Suppose that the lemma is true for derivations of length < n and let us prove it 
for derivations D of length n + 1. 

D : E = Eq -»'~^ Ei^i Ei-i,ti -» ... En En,t. Suppose that D 
does not satisfy the property, there exists a step i in _D where the rule I r is 
applied with the substitution a, and there exists s G I \ X such that sa ^ E. 
Since sa ^ E, it has been constructed at some step j < i. We have: 
D : E Ej-i ~^ Ej_i,sa . . . ^ Ei ^ Ei,ti —>*...—>* E^ En,t. 

Let Ij rj G C be the rule applied, with the substitution t, to construct 
sa. Since r^r = sa, rj and s are unifiable with /i = mgu(rj, s). Then the rule 
(Zj , Z \ s —f> r)/i has been constructed. Since /x is a substitution most general than 
a, it can be applied on Ei to yield ti. This implies that we can reduce D to: 
D' : E Ej ■ . ■ Ei -» Ei,ti ... -» En -» En, t where the 

construction of sa is spell and the applied rule at the step i is (Ij, I \ s)n -» r/x. 
We note that HZ^'H < ||-D||, then HZ^'H < n. By induction, cither D' satisfies 
the property or there exists another Zg-dcrivation D" starting from E of goal t 
which satisfies the property. Then, we have the lemma for derivations of length 
n-|-l and this concludes the proof. □ 



8 Decidability of reachability 



The main result of this paper is the following theorem. 

Theorem 1 The TDSKs-Rs3chability (resp. loEo-Reachability) problem is decid- 
able. 

The rest of this paper is devoted to the presentation of an algorithm for solv- 
ing XosKs-Reachability (resp. 2oEo-Reachability) problems and to a proof scheme 
of its completeness, correctness and termination. This decision procedure com- 
prises three different steps. 

Let C be an Z-constraint system. 

8.1 First step: guess of a normal form 

Step 1. Apply non-dcterministically basic narrowing steps on all subterms of C. 
Let Co = {(-^1° O w°)ig{i^....„},iS°} be the resulting constraint system. 

Remark. Let cr be a solution of the original constraint system, with a in normal 
form. This first step will non-deterministically transform each t G Sub(C) into a 
term t' such that, according to Lemma 3 we will have {tij)l = t'a' . 

8.2 Second step: resolution of unification problems 

Step 2. Solve the unification system 5" modulo the empty theory, and apply 
the obtained unifier on the deduction constraints to obtain a constraint system 

C' = {(i5,'^tO.:6{i,....n}} 

Remarks. We prove below that if there exists a solution to the original constraint 
system, then there exists a solution of C for the extended intruder system X0. 
C itself is not a constraint system, but an extended constraint system. 

Lemma 7. If a is a substitution in normal form such that a \=x C, there exists 
a C at Step 2 and a substitution a' in normal form such that C ^ C and 

Proof. By definition a \=x C implies that for all i G {1, . . . , ?i} we have a \=x 
{Ei >ti). Thus there exists by Lemma 4 an X'-derivation starting from {Eia)l to 
(tia)l. Since a is in normal form, by lemma 3, there exists E'^, t[ and a' in normal 
form such that E, -w* E'^, t, ->j; „ t'^, {E,a)l = E'^a' and {t,a)i = t'^a' for all 
i G {1, . . . By Lemma 5 (-Eicr)i ->J, (ticr)i then implies {Eia)l -^j^ {tia)l 
Since {E,a)l = E'^a' and {t^a)[ = t[a' then, a' {E[t>t'^) for alH G {1, . . . , n} 
and thus we have the lemma. □ 



Apply : 

Cc,E^>t,Ci3 l^,li,...,l^ r £ C' and C X,t ^ X 

{Cc., {E [> y)j,ei^, C^)a ei, . . . , e„ G £ and a = mgu{\{e, = /Oi, = t]) 

C^,E>t,C0 u,t<tX 
Unit ; ^ j:, / ,x 

(Ca,C^)cr "S-^' G = mgu(u,t) 

Fig. 2. System of transformation rules. 
8.3 Third step: Transformation in solved form 

Stej) 3. To simplify the constraint system, we apply the transformation rules 
of Figure 2. Our goal is to transform C into a constraint system such that the 
right-hand sides of deduction constraints (the ti) are all variables. When this is 
the case, we say that the constraint system is in solved form. It is routine to 
check that a constraint system in solved form is satisfiablc. 

Lemma 8. Let C = {Ca,E O t,Cp} be such that Ca is in solved form. Then, for 
all substitution a, a \= C if and only if a \= {Ca, {E \ X) l> t, C/j} . 

Proof. It suffices to prove that \i x £ E X and cr is a substitution such that 
a \= C, then we have cr |= {Ca, {E\ {x}) O t,Cp}. Given x £ E there exists a 
set of terms E^ Q E such that E^ l> x £ Ca. Since cr ^ C we have a \= E^ l> x, 
and by the fact that E^ Q E \ {x} we have a \= E\ {x{ \> x. Since we also 
have a \= {E \> t) this implies a \= E\ {x{ > t. The reciprocal is obvious since 
E\{x}(^E. □ 

It also can be proved that the lazy constraint solving procedure terminates. 
This lemma also helps us to prove the completeness of lazy constraint solving 
(stated in Lemma 11). 

Lemma 9. (DSKS-termination.) Let C be an Xdsks -constraint system. The 
application of transformation rules of the algorithm using -Cpsjcs rules termi- 
nates. 

Proof. Let nbv(C) = |Var(C)| be the number of variables in C, and M{C) 
denote the multiset of the right-hand side of deduction constraints in C. Let us 
prove that after any application of a transformation rule on a constraint system 
C = {Ca, E\>t) (where Ca is in solved form), either nbv(C) decreases strictly, or 
the identity substitution is applied on C during the transformation and M.(C) 
strictly decreases. 

The first point will ensure that after some point in a sequence of transfor- 
mations the number of variables will be stable, and thus from this point on 
M{C) will strictly decrease. The fact that no more unification will be applied 
and that the extension of the subterm ordering on multisets is well-founded will 
then imply that there is only a finite sequence of different constraint systems, 
and thereby the termination of the constraint solving algorithm. 

This fact is obvious if the Unif rule is applied, since it amounts to the uni- 
fication of two subterms of C. It is then well-known that if the two subterms 



are not syntactically equal, the number of variables in their most general unifier 
is strictly less than the union of their variables, which is included in Var(C). If 
they are syntactically equal, then no substitution is applied, and thus denoting 
C the result of the transformation, we have A4{C) = 7W(C') U {t}, and thus 
M{C') < MiC). 

Let us now consider the case of the Apply rule, and let C be the obtained 
constraint system. If the underlying intruder deduction rule is in Cx>skSi the 
fact that t is not a variable implies that the variables of the right-hand side of 
the rule will be instantiated by the strict maximal subtcrms ti, . . . ,1^. of t. We 
will thus have: 

M{C')=M{C)\J{tu...,t^]\{t} 

and thus M{C') < M{C). 

It now suffices to prove the Lemma for the two rules in Cj^gf^g \ CvsKS- 

rule x,SK{y) Sig(x, SK(y)): The substitution a appHed is the most general 

unifier of the unification system |sig(a;, SK(y)) =t,SK{y) = u| for some 

u & E. Since this is syntactic unification and since we can assume neither u 
(by Lemma 8) nor t (by definition of the Apply rule) are variables, we must 
have u = SK(?i') and t ~ Sig(ti, ^2)- The second equation thus yields y = u', 
with u' G Sub(C). Replacing in the first equation, a is the most general 

unifier of the equation Sig(a;, SK(m')) = Sig(ti,i2), which reduces into the 
set of equations |a; = ti, SK(m') = ^2 |- The first equation implies that x is 
instantiated by a strict subterm ti of t. If the second equation is trivial we 
have MiC) = M{C)U {ti}\ {t}, and thus X(C') < M{C). Otherwise, since 
Var(SK(it')) U Var(t2) C Var(C) we have nbv(C') < nbv(C). 
rule X, S'K(PK(y), Sig(a;, SK(y))) -» Sig(2;, SK(y)): The substitution 
(T applied is the most general unifier of the unification system 

|sig(x,SK(?/)) = t,S'K(PK(j/),Sig(a;,SK(?/))) uj for some u e E. 

Since this is syntactic unification and since we can assume neither u (by 
Lemma 8) nor t (by definition of the Apply rule) are variables, we must 
have u = S'K(it']^, Uj) and t = Sig(ti,t2)- If is the identity on C, we are 
done, since in this case we have M{C') = M{C) U {ti} \ {t} and thus 
A4{C') < Ai{C). Otherwise let us examine how the unification system is 
solved. It is first transformed into: 

{x = h, SK(y) 1 12, PK(y) I u[, Sig{x, SK{y)) = ,4} 

Resolving the first equation yields (note that x ^ Var(C)): 

{sK(y) = t2,PK(y) = u[, Sig(ti, SK(y)) = u'^} 

Let us consider two cases, depending on whether both u[ and ^2 are variables: 
~ If they are both variables, then solving the first equation removes t2 
from Var(C) but adds a variable y. The second equation will also remove 



u'l, but since the variable y is already present, it will not add another 
variable. Since PK{y) and SK(y) are not unifiable, we note that we must 
have t2 7^ u'l, and thus we have removed two variables and added one 
by solving the two first equations. The remaining equation contains only 
variables of the "intermediate" constraint system, and thus will not add 
any new variable. In conclusion, in this case, the number of variables of 
C decreases by at least 1. 
— If say t2 is not a variable, and thus t-z = SK(<2), with G Sub(C). 
Resolving the first equation and injecting the solution in the remaining 
equations yields the unification system: 

{PK(i^)=«;,Sig(ti,SK(4))=ui} 

Note that up to this point the substitution a that we built does not 
affect any variable of C. If this remaining unification system is trivial, 
then the substitution applied on C is the identity, we are done (see above). 
Otherwise, since all the variables in this system are in Var(C), it strictly 
reduces nbv(C). This terminates the proof of this case. 
Thus, if this rule is applied, either no substitution is applied on C and M{C) 
strictly decreases, or the number of variables in the resulting constraint sys- 
tem C is strictly smaller than the number of variables in C. 

□ 

Lemma 10. (DEO-termination.) LetC be an 2 oeo- constraint system. The ap- 
plication of transformation rules of the algorithm using C-pso' rules terminates. 

Proof. Let C = {(^'i l> ii)iG{i,....n}} be an Xc^o-constraint system not in 
solved form and let the complexity of C be a couple ordered lexicographically 
with the following components: 

— nbv(C), the number of distinct variables in C, 

— A4{C) the multiset of the right-hand side of deduction constraints in C. 

We have to show that each rule reduces the complexity. The fact is obvious if 
the Unif rule is applied, since it amounts to the unification of two subterms of 
C. If is then well-known that if two subterms are not syntactically equal, then the 
number of variables in their most general unifier is strictly less than the union of 
their variables, which is included in Var(C). If their are syntactically equal, then 
no substitution is applied, and thus denoting C the result of transformation, we 
have7W(C') < M{C). 

Let us now consider the case of Apply rule, and let C be the obtained con- 
straint system. If the underlying intruder deduction rule is in Cdeo, the fact 
that t is not a variable implies that the right-hand side of the rule will be 
instantiated by the strict maximal subterms ti, . . . ,tk of t. we will thus have 
M{C') = M{C)U{ti,...,tk}\{t} and thus 7W(C') < M{C). 

It is now suffices to prove the Lemma for the rule in Ct>so' \ ^vso- 



the applied rule is: f(PK(y), Sig(a;, SK(y))), S"K(PK(2/), Sig(x, SK(y))) ^ 
Sig(a;, SK(j/)). The substitution a is the most general unifier of the unification 

system {t^ Sig(x, SK(y)), ei = f(PK(2/), Sig(x, SK(y))), 63 S"K(PK(y), Sig(a;, SK(2/)))} 
for some ei, 62 G E. since it is syntactic unification and since we can assume 
neither ei, neither 62 (by Lemma 8) nor t (by definition of the Apply rule) are 
variables, we must have t ~ Sig(ii,t2), ei = f(vi,V2), and 62 = S"K{v3,V4). 

— If t2 G X, we have crix) = ti, cr(i2) = SK(y) and the unification system is 
then transformed into: 

[vi = FKiy),V2 = Sigih,SKiy)),V3 = PKiy),Vi = Sig(ti, SK(y))}. 

By the fact that is replaced by y, x,y ^ Var(C), and the number of 
variables in a is strictly less than the union of variables of the unification 
system, we deduce that nbv(C') < nbv(C). 

— If ^2 ^ then ^2 = SK(t3). We have (7{x) ~ ti, ay = and the unification 
system is then transformed into: 

{vi = PK(t3),«2 = Sig(<i,SK(t3)),«3 = PK(t3),l<4 = Sig(ti,SK(i3))}. 

if the unification system is obvious, that is a is the identity substitution, 
we have C = C\{E [> t), and then M{C') ^ M{C)\t which implies that 
M{C') < MiC). Else, we have nbv(C') < nbv(C). 

This concludes the proof. □ 

Lemma 11. If C is satisfied by a substitution a' , it can he transformed into a 
system in solved form by the rules of Figure 2. 

Proof. Let C be a deterministic constraint system not in solved form and let i 
be the smallest integer such that ti ^ A", then C = {Ca, Ej [> ti,Cp} where Ca is 
in solved form. Let ct be a substitution such that tr |=ij C, and let us prove that C 
can be reduced to another satisfiable constraint system C by applying the trans- 
formation rules given in the algorithm, a |=X0 C, then a \=it„ {C^, Ei\X [> tijCp} 
(Lemma 8) and then, {Ei \ X)a ticr. We have two cases: 

— If tia e {Ei \ X)(j, there exists a term u E {Ei \ X) such that ua ~ tid. Let 
H be the most general unifier of u and ti, then a = 9fj,, and we can simplify 
C by applying the first transformation rule Unif, C C = {CafJ^^Cpfi}. We 
have cr Ca and a C/3, then 6 ^j,, {CaiJ.,Cp^i}. 

— If ti<T ^ {Ei \ X)a there exists a derivation starting from {Ei \ X)a of goal 
tia, and then from EiU of goal tia. By lemma 6, there exists a derivation 
starting from Eia of goal tia such that for all steps in the derivation such 
that Z — > r is the applied rule with the substitution a, for all s 6 / and s ^ X , 
we have sa C Eia. This implies that we can reduce C to C by applying the 
Apply rule of transformation and 6 \=x^ C . 

We deduce that for all satisfiable constraint systems C such that C is not in solved 
form. C can be reduced to another satisfiable constraint system C by applying 
the transformation rules. When applying the transformation rules to a constraint 
system, we reduce its complexity (Lemmas 9 and 10), this implies that when we 



reduce C, we will obtain at some step a satisfiable constraint system which can 
not be reducible, this constraint system is in solved form. This concludes the 
proof. □ 



Lemma 12. (Correctness.) Let C ~ { (^'i 1> ^i)ie{i,...,n} } o.nd C = 
{(-Ej' l> such that C is obtained by applying the basic-narrowing 

on the terms of C. For every substitution a' such that a' \=x^ C , there exists a 
substitution a such that a \=i C. 

Proof. We have C = {(-E* o tOre{i, ...,«}}, C C and C = 

{{El l> tOje{i.. ..,«}}• Let 9 be the composition of substitutions applied in the 
basic-narrowing derivation, for all i G we have {Eid)\, = E[ and 

{ti9)[ = t[. Let a' be a substitution such that a' ^i^, C, for alH G {1, . . . , n} 

we have t'^cr' e E'-cr''^'', this implies that for all i G t\a' G E'^a'^ 

X 

(Corollary 2), and then, for alH G {1, . . . , n} t[cr' G E'-a' (Lemma 4). From the 
fact that {Ei9n)i = E- and {ti9n)i = for all i G {!,... ,n}, we deduce that 
ti9a' G EiOcr' for all i G {1, . . . , n} and this conclude the proof. □ 

9 Conclusion 

Besides the actual decidability result obtained in this paper, we believe that 
the techniques developed to obtain this result, while still at an early stage, are 
promising and of equal importance. Several recent work [4, 13] have proposed 
conditions on intruder systems ensuring the decidability of reachability with 
respect to an active or passive intruder. In a future work we plan to research 
whether the given conditions imply the termination of the saturation procedure 
and the termination of the symbolic resolution. 
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